
SQL Security in DMZ


David Wimbush, Aug 21, 2007, 9:06:50 AM
I have just been handed the role of DBA and, while I think I'm pretty
solid on SQL security within the domain (I'm a Windows app developer),
the web side of things is fairly new ground for me. I would really
appreciate some help.

We have an IIS 6 server in our DMZ running web sites and web services
that talk to our SQL Server 2005 inside our firewall. I see that the
sites and services all use SQL logins and passwords, which they store
in their web.config files in plain text. I can't imagine that this is
best practice, but I'm struggling to establish what is. I'm seeing a
variety of recommendations, but I just don't know enough about IIS,
domains, etc. to tell which is best.


These sites and services were all developed in-house, so I can fix them
once I know how to go about it. Can you suggest the proper way to
handle this and/or point me to resources that explain how to choose an
approach and how to implement it, please? Thanks.
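The setup described in the post above (SQL login and password sitting in clear text in web.config on an IIS 6 box) can be fixed without touching application code by using ASP.NET 2.0 protected configuration. The following is an added example, not code from the original thread or from either poster. It assumes .NET Framework 2.0 on the web server, a hypothetical application directory C:\inetpub\wwwroot\OrdersService, a hypothetical SQL login web_orders, and that it is run from an elevated PowerShell prompt on that server. The web.config it writes is a constructed sample of the weak setting; the aspnet_regiis.exe call then encrypts the connectionStrings section in place and the script checks that no plaintext password remains.

```powershell
# Added example (not from the original thread). Assumes .NET Framework 2.0,
# a hypothetical app directory, and an elevated prompt on the IIS 6 server.
$appDir = 'C:\inetpub\wwwroot\OrdersService'   # hypothetical application path
$regiis = Join-Path $env:windir 'Microsoft.NET\Framework\v2.0.50727\aspnet_regiis.exe'
$config = Join-Path $appDir 'web.config'

if (-not (Test-Path $appDir)) { New-Item -ItemType Directory -Path $appDir | Out-Null }

# Constructed sample of the weak setting: SQL login and password in clear text.
# (web_orders / the password below are made up for this example.)
@'
<?xml version="1.0"?>
<configuration>
  <connectionStrings>
    <add name="Orders"
         connectionString="Data Source=sql01;Initial Catalog=Orders;User ID=web_orders;Password=Pa55w0rd!;"
         providerName="System.Data.SqlClient" />
  </connectionStrings>
  <system.web>
    <compilation debug="false" />
  </system.web>
</configuration>
'@ | Set-Content -Path $config -Encoding UTF8

# Encrypt only the connectionStrings section, in place, using the DPAPI
# provider (machine key store). -pef = protect section by physical directory.
# ASP.NET decrypts transparently at runtime, so the app's existing
# ConfigurationManager.ConnectionStrings["Orders"] call needs no change.
& $regiis -pef 'connectionStrings' $appDir -prov 'DataProtectionConfigurationProvider'
if ($LASTEXITCODE -ne 0) { throw "aspnet_regiis failed with exit code $LASTEXITCODE" }

# Verify: the section must now carry configProtectionProvider and the file
# must no longer contain a plaintext Password= anywhere.
[xml]$xml = [IO.File]::ReadAllText($config)
$section = $xml.configuration.connectionStrings
if ($section.configProtectionProvider -ne 'DataProtectionConfigurationProvider') {
    throw 'connectionStrings section was not encrypted'
}
if ([IO.File]::ReadAllText($config) -match 'Password=') {
    throw 'plaintext password still present in web.config'
}
"OK: connectionStrings section encrypted with $($section.configProtectionProvider)"

# To change the connection string later: decrypt, edit, re-encrypt.
#   & $regiis -pdf 'connectionStrings' $appDir
# To restore the plaintext sample for another run of this script, delete
# web.config first; -pef refuses to re-encrypt an already protected section.
```

After the run, the section reads roughly `<connectionStrings configProtectionProvider="DataProtectionConfigurationProvider"><EncryptedData>...<CipherValue>AQAAANCM...</CipherValue>...</EncryptedData></connectionStrings>`. Two caveats a practitioner should weigh: the DPAPI provider keys the ciphertext to that one machine, so each DMZ server has to encrypt its own copy of web.config, and any process running on that box can decrypt it, so the file still needs a tight NTFS ACL and the SQL login it protects should be a least-privilege account (not sa, not db_owner). The alternative that stores no secret at all is Windows authentication (`Integrated Security=SSPI`) with the application pool running as a dedicated domain account, or, when the DMZ host is not domain-joined, a mirrored local account with the same name and password on the web and SQL servers.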

Hilary Cotter, Aug 22, 2007, 5:55:47 AM
This is a poor security practice. Many developers recommend you encrypt the
login and password with SHA1 or MD5 encryption, which raises the bar
slightly.

The best security practice is simply not to store them there at all, but to
hard code them in your code. When you do this, ensure you encrypt them there
as well, as you can read strings in binaries by using the type command or a
text editor.

--
RelevantNoise.com - dedicated to mining blogs for business intelligence.

Looking for a SQL Server replication book?
http://www.nwsu.com/0974973602.html

Looking for a FAQ on Indexing Services/SQL FTS
http://www.indexserverfaq.com
"David Wimbush" <david_...@hotmail.com> wrote in message
news:1187701610.0...@a39g2000hsc.googlegroups.com...
